Is OpenSpecimen CFR Part-11 Compliant?

The short answer is Yes.

However, it is important to note that the software itself cannot be compliant. Rather, it is the implementation and use of software that determines compliance. It is achieved only when a study has the procedures, policies, documentation, training, and validation that meets Part-11 requirements. An FDA auditor will review all documentation (software and non-software) to determine at a study level whether the study is compliant.

That being said, the FDA has put forth certain requirements for systems used in healthcare and laboratories that maintain electronic records and electronic signatures. In this article, we compare and discuss these requirements and OpenSpecimen’s compliance with them.

Electronic Signature

The security features of OpenSpecimen abide by the requirements laid down by the FDA for electronic records in closed systems.In OpenSpecimen, users have to log in to the system using a combination of user ID and password.Each entry or change in a record is made under the electronic signature of the individual making that entry.

Following are the other security features:

The records are stored and are retrievable in a human-readable as well as electronic format

Their access is limited to authorized users only

User accounts are locked after a specific number of failed login attempts

The name of the user is displayed on the screen throughout the session to avoid the possibility of an individual inadvertently entering data under someone else’s name.

When someone leaves a workstation for longer than a specific time period, the system automatically logs the user off.

NOTE: You can create passwords either within the OpenSpecimen database OR using the institution’s Identity Provider (or LDAP/SAML).

Audit Trail

The FDA further mandates maintaining computer generated and human-readable audit trails. OpenSpecimen maintains an audit trail for addition, deletion or modification of the records and also for successful and unsuccessful login attempts.

The audit information stored in the OpenSpecimen database includes:

A timestamp of the event

IP Address of the machine (or proxy server) on which the browser was running

User id who performed the event

Values of the records inserted or edited

In the case of a modified value, the system stores both the old and new values

The audit trail is stored in the database permanently until the administrator physically deletes it. System users will never be able to modify the audit log of the system.

Software Development Practice

Detailed documentation forms an essential part of any validation. As the popular saying goes- “if it’s not documented, it didn’t happen”.

The development cycle of OpenSpecimen follows standard practices. We document every step of the cycle including- requirement definition, planning, tracking, validation & testing before releasing a new feature or version. This is followed by release documentation, change management, and independent review activities post-release.

We extensively use JIRA (for tracking) and Confluence (for documentation). Being an open-source project, all OpenSpecimen documentation is publicly accessible for review and audit.

Support Practice

We track support tickets using an online tracking tool called JIRA and email monthly logs to the clients. Every server administration activity is performed only after the client’s written approval. We maintain a log of change for future reference and audit.

We also provide web-based or on-site training to the users as a part of the initial implementation. Further, customers can also request for additional training sessions as a part of the support contract. End-user training is one of the most important aspects of Part-11 compliance.

Summary

OpenSpecimen is compliant with the FDA regulations for electronic records and signatures in a closed system. However, from the implementation aspect, you can achieve compliance only with an ecosystem of various components like software, hardware, training, documentation, etc. Krishagni provides validated cloud instances and validation services for clients who are interested.